
ISO standards framework to comply with Article 7 of GDPR and DGA implementation

Authors:

(1) Harshvardhan J ([email protected]);

(2) Jan Lindquist, Privacy and Security Group, Standards Institute, Sweden ([email protected]);

(3) Georg P. KROG, Signatu AS, OSLO, Norway ([email protected]).

Abstract and 1 Introduction

2 ISO/IEC TS 27560:2023

3 Comparison of ISO-27560, ISO-29184 and GDPR

4 Consent records and receipts using DPV

5 Supporting GDPR and DGA

6 Implementation considerations and future work

6.1 Confidence and Security

6.2 Using records and receipts with eIDAS and EUDI

6.3 Standard for PII processing information and 6.4 Technical considerations in record and receipt management

6.5 IEEE P7012 Automated Privacy Conditions

7 Conclusion and References

A Example of a consent record with both required and optional fields

B Example of a consent receipt with the required fields from the consent record

5 Supporting GDPR and DGA

Using ISO-27560 and ISO-29184 within the legal framework of the European Union: ISO-27560 and ISO-29184 are developed and governed by ISO, and are not specific to European Union regulations and terminology. To support their use in legal frameworks, they must be approved as a “European Norm” (EN) through a European Union standardisation body such as CENELEC or ESO. Currently, ISO-29184 has already been approved as an EN, and we are working on a proposal with the Irish and Swedish national bodies to recommend the adoption of ISO-27560 as an EN. Moreover, we have also made a proposal to the relevant ISO committees to make the ISO-27560 standard freely accessible, because its guidelines are valuable for responsible innovation.

The presence of these standards as ENs provides a strong framework for their use in regulations, such as for notice and consent under GDPR. However, merely adopting the standards “as is” will not be enough. For example, terms in ISO-29184 and GDPR have crucial differences that must be identified and addressed to enable the use of ISO-29184 with GDPR [13]. Likewise, to address the current issues related to consent [10,9], additional studies are required to evaluate the extent to which these standards resolve current issues and what additional measures must be adopted beyond conformity with the standards.

Demonstrating consent under GDPR: GDPR Article 7-1 creates an obligation for data controllers to maintain consent information and keep it up to date in order to demonstrate where consent was given, refused, or withdrawn. ISO-27560 provides a standard for a common technical structure to support the implementation of this obligation. In addition, GDPR Articles 13 and 14, among other things, require keeping records of what was presented to individuals in order to implement informed consent. ISO-29184 provides a standard for describing privacy notices, and ISO-27560 allows keeping records of the information provided and the resulting consent decisions. Based on the analysis in this article, which demonstrates the applicability of ISO-27560 and ISO-29184 to GDPR, we recommend proposing to the authorities that these standards be used to support compliance with GDPR.

Supporting rights under GDPR: ISO-27560 contains fields to indicate existing rights, and with DPV we can express how and where to exercise them and what information is required (for example, identity verification). Moreover, consent decisions (for example, withdrawal) are also personal data about the data subject, and are thus subject to rights such as Art. 20 data portability. Treating consent information as personal data can be a way to enable the use of receipts under GDPR even though they are not explicitly defined as a concept. Considering consent information as personal data makes it subject to the right to data portability under Article 20, which requires it to be provided in “a structured, commonly used and machine-readable format”. Moreover, Article 20 also provides “the right to transmit those data to another controller”, which can be used to transfer consent decisions from one controller to another, a crucial mechanism for implementing data reuse and altruism under DGA.

A common consent form under DGA: Article 25 of DGA requires the Commission to provide a common consent form that provides information in both human-readable and machine-readable forms. Based on the analysis in this article, which indicates their usefulness in meeting GDPR requirements, ISO-27560 should be used with ISO-29184 to determine the information that must be present in these forms. ISO-29184 provides a standard for privacy notices covering the human-readable information in the consent form, and the application of ISO-27560 with DPV provides the machine-readable representation. The advantage of using these standards is that the resulting solution will be useful not only in the European Union but globally, due to the global scope of ISO. The advantage of using DPV here is that it provides common terms built on W3C standards, supports extensions for specific jurisdictions (such as the European Union with GDPR and DGA), and has a broad taxonomy that supports practical use cases and enhances interoperability. Through direct meetings, we presented this work to unit G.1 of the European Commission, which deals with the application of GDPR and DGA.

Data intermediaries under DGA: We are also working on further applications to support DGA by developing technical specifications that define how data intermediaries keep consent records and issue receipts, and that support them in their duties by providing a way to express data reuse requests in a machine-readable form that can be matched against consent to ensure that the purposes are compatible with GDPR. This will be based on existing work [1], which uses the W3C Open Digital Rights Language (ODRL) standard [3] to represent policies and agreements, and uses them with DPV to create DGA-specific offers for data subjects and data intermediaries to indicate the data available for reuse and under which conditions, requests for data users to indicate the data they are looking for, and agreements to represent the conditions that have been accepted for data reuse. We have already shown the feasibility of using ODRL and DPV for such an approach in a way that improves the technical and organisational processes for sharing genetic health datasets [11].

Data reuse and altruism under DGA: To support the DGA goals of data reuse for altruism, we are working on creating a taxonomy of altruism purposes within DPV and developing a framework to express them in a way that is compatible with GDPR's requirements for consent and for maintaining information on the basis of ISO-27560. We are also working on new approaches, such as assessing ISO-27560-based consent records against the information required in a Data Protection Impact Assessment (DPIA), through which we aim to enable data subjects or data intermediaries to manage their DPIAs based on a common record and risk management using DPV. Through this, we aim to create responsible practices while promoting data reuse and altruism.
